summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2019-04-03 23:40:04 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-04-04 13:19:33 +0200
commit3edb96200690b804ceb76a9fb0ae441ed7d4d8f0 (patch)
tree76580b8f2fe88638ba8231d50e453da88511034d
parent3b29acc8f29944c5cf34259f2e2b5b40b4d0ccdd (diff)
parser_bison: missing tproxy syntax with port only for inet family
# nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000 Error: syntax error, unexpected colon add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000 ^ Syntax with no protocol for tproxy complains with: # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000 Error: Conflicting network layer protocols. add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000 ^^^^^^^^^^^^^^^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1310 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat
-rw-r--r--src/parser_bison.y6
-rw-r--r--tests/py/inet/tproxy.t5
-rw-r--r--tests/py/inet/tproxy.t.payload26
-rw-r--r--tests/py/ip/tproxy.t2
-rw-r--r--tests/py/ip/tproxy.t.payload8
-rw-r--r--tests/py/ip6/tproxy.t2
-rw-r--r--tests/py/ip6/tproxy.t.payload7
7 files changed, 52 insertions, 4 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 65b3fb3e..50642b4e 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2687,6 +2687,12 @@ tproxy_stmt : TPROXY TO stmt_expr
$$->tproxy.addr = $4;
$$->tproxy.port = $6;
}
+ | TPROXY nf_key_proto TO COLON stmt_expr
+ {
+ $$ = tproxy_stmt_alloc(&@$);
+ $$->tproxy.family = $2;
+ $$->tproxy.port = $5;
+ }
;
primary_stmt_expr : symbol_expr { $$ = $1; }
diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t
index f80f7734..0ba78ef1 100644
--- a/tests/py/inet/tproxy.t
+++ b/tests/py/inet/tproxy.t
@@ -15,6 +15,7 @@ meta l4proto 6 tproxy ip6 to [2001:db8::1];ok
meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok
ip6 nexthdr 6 tproxy ip to 192.0.2.1;fail
-meta l4proto 17 tproxy ip to :50080;fail
-meta l4proto 17 tproxy ip6 to :50080;fail
+meta l4proto 17 tproxy ip to :50080;ok
+meta l4proto 17 tproxy ip6 to :50080;ok
meta l4proto 17 tproxy to :50080;ok
+ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000;ok
diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload
index 4b18460d..8a6ba036 100644
--- a/tests/py/inet/tproxy.t.payload
+++ b/tests/py/inet/tproxy.t.payload
@@ -35,3 +35,29 @@ inet x y
[ immediate reg 1 0x0000a0c3 ]
[ tproxy port reg 1 ]
+# meta l4proto 17 tproxy ip to :50080
+inet x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x0000a0c3 ]
+ [ tproxy ip port reg 1 ]
+
+# meta l4proto 17 tproxy ip6 to :50080
+inet x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ immediate reg 1 0x0000a0c3 ]
+ [ tproxy ip6 port reg 1 ]
+
+# ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
+inet x y
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0x00000000 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000000 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ immediate reg 1 0x0000d007 ]
+ [ tproxy ip port reg 1 ]
+
diff --git a/tests/py/ip/tproxy.t b/tests/py/ip/tproxy.t
index dbd8f5e9..966898c0 100644
--- a/tests/py/ip/tproxy.t
+++ b/tests/py/ip/tproxy.t
@@ -11,4 +11,4 @@ meta l4proto 6 tproxy to 192.0.2.1:50080;ok
ip protocol 6 tproxy to :50080;ok
meta l4proto 17 tproxy ip to 192.0.2.1;ok;meta l4proto 17 tproxy to 192.0.2.1
meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok;meta l4proto 6 tproxy to 192.0.2.1:50080
-ip protocol 6 tproxy ip to :50080;fail
+ip protocol 6 tproxy ip to :50080;ok
diff --git a/tests/py/ip/tproxy.t.payload b/tests/py/ip/tproxy.t.payload
index 035651f4..dfe830ec 100644
--- a/tests/py/ip/tproxy.t.payload
+++ b/tests/py/ip/tproxy.t.payload
@@ -34,3 +34,11 @@ ip x y
[ immediate reg 1 0x010200c0 ]
[ immediate reg 2 0x0000a0c3 ]
[ tproxy ip addr reg 1 port reg 2 ]
+
+# ip protocol 6 tproxy ip to :50080
+ip x y
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ immediate reg 1 0x0000a0c3 ]
+ [ tproxy ip port reg 1 ]
+
diff --git a/tests/py/ip6/tproxy.t b/tests/py/ip6/tproxy.t
index 4e48d81f..48fe4ca7 100644
--- a/tests/py/ip6/tproxy.t
+++ b/tests/py/ip6/tproxy.t
@@ -11,4 +11,4 @@ meta l4proto 17 tproxy to [2001:db8::1]:50080;ok
meta l4proto 6 tproxy to :50080;ok
meta l4proto 6 tproxy ip6 to [2001:db8::1];ok;meta l4proto 6 tproxy to [2001:db8::1]
meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok;meta l4proto 17 tproxy to [2001:db8::1]:50080
-meta l4proto 6 tproxy ip6 to :50080;fail
+meta l4proto 6 tproxy ip6 to :50080;ok
diff --git a/tests/py/ip6/tproxy.t.payload b/tests/py/ip6/tproxy.t.payload
index c78c8a1d..9f28e80b 100644
--- a/tests/py/ip6/tproxy.t.payload
+++ b/tests/py/ip6/tproxy.t.payload
@@ -35,3 +35,10 @@ ip6 x y
[ immediate reg 2 0x0000a0c3 ]
[ tproxy ip6 addr reg 1 port reg 2 ]
+# meta l4proto 6 tproxy ip6 to :50080
+ip6 x y
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ immediate reg 1 0x0000a0c3 ]
+ [ tproxy ip6 port reg 1 ]
+